Module: EscapeUtils
- Extended by:
- EscapeUtils
- Included in:
- EscapeUtils
- Defined in:
- lib/escape_utils.rb,
lib/escape_utils/version.rb,
lib/escape_utils/html_safety.rb,
ext/escape_utils/escape_utils.c
Defined Under Namespace
Modules: HtmlSafety
Constant Summary
- VERSION =
"0.3.2"
Class Method Summary
-
.html_safe_string_class ⇒ Object
Default String class to return from HTML escaping.
- .html_safe_string_class=(val) ⇒ Object
-
.html_secure ⇒ Object
Turns on/off the escaping of the '/' character during HTML escaping. Escaping '/' is recommended by OWASP (www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content). This is because quotes around HTML attributes are optional in most/all modern browsers at the time of writing (10/15/2010).
- .html_secure=(val) ⇒ Object
Instance Method Summary
- #escape_html(*args) ⇒ Object
-
#escape_html_as_html_safe(str) ⇒ Object
HTML methods.
-
#escape_javascript(str) ⇒ Object
JavaScript methods.
-
#escape_uri(str) ⇒ Object
URI methods.
-
#escape_url(str) ⇒ Object
URL methods.
-
#escape_xml(str) ⇒ Object
XML methods.
- #unescape_html(str) ⇒ Object
- #unescape_javascript(str) ⇒ Object
- #unescape_uri(str) ⇒ Object
- #unescape_url(str) ⇒ Object
Class Method Details
.html_safe_string_class ⇒ Object
Default String class to return from HTML escaping
# File 'lib/escape_utils.rb', line 16
# Reader for the String subclass that escape_html_as_html_safe returns.
# Mirrors the @html_safe_string_class ivar kept on the module; nil until
# html_safe_string_class= has been called.
def self.html_safe_string_class
  instance_variable_get(:@html_safe_string_class)
end
.html_safe_string_class=(val) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 66
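static VALUE rb_eu_set_html_safe_string_class(VALUE self, VALUE val)
{
	VALUE is_string_like;

	/*
	 * Setter for EscapeUtils.html_safe_string_class.  The class stored here is
	 * written directly into RBASIC(result)->klass by escape_html_as_html_safe
	 * (when RBASIC is available), so anything other than String itself or a
	 * subclass of String would leave a String object claiming a foreign class.
	 * Raises TypeError if val is not a Class and ArgumentError if it is not
	 * String or a String subclass.  Returns val.
	 */
	Check_Type(val, T_CLASS);

	/*
	 * Module#<= returns true when val is String or a descendant, false when
	 * val is an ancestor of String (e.g. Object), and nil when the two are
	 * unrelated.  Comparing only against Qnil let ancestors such as Object
	 * through; reject everything that is not true.
	 */
	is_string_like = rb_funcall(val, rb_intern("<="), 1, rb_cString);
	if (!RTEST(is_string_like))
		rb_raise(rb_eArgError, "%s must be a descendent of String", rb_class2name(val));

	rb_html_safe_string_class = val;
	/* Mirror into the ivar so the Ruby-side reader sees the same value. */
	rb_ivar_set(self, rb_intern("@html_safe_string_class"), val);
	return val;
}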
.html_secure ⇒ Object
Turns on/off the escaping of the '/' character during HTML escaping. Escaping '/' is recommended by OWASP (www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content). This is because quotes around HTML attributes are optional in most/all modern browsers at the time of writing (10/15/2010).
# File 'lib/escape_utils.rb', line 10
# Reader for the html_secure flag (whether '/' is escaped by the HTML
# escapers).  Returns whatever was last passed to html_secure=, or nil if
# it was never set.
def self.html_secure
  instance_variable_get(:@html_secure)
end
.html_secure=(val) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 54
static VALUE rb_eu_set_html_secure(VALUE self, VALUE val)
{
	/*
	 * Setter for EscapeUtils.html_secure: any truthy val enables escaping of
	 * '/' in escape_html / escape_html_as_html_safe, nil or false disables it.
	 * The raw val is also mirrored into @html_secure on self so the Ruby-side
	 * reader returns exactly what was passed in.  Returns val.
	 */
	const int enabled = RTEST(val);

	g_html_secure = enabled;
	rb_ivar_set(self, rb_intern("@html_secure"), val);

	return val;
}
Instance Method Details
#escape_html(*args) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 136
static VALUE rb_eu_escape_html(int argc, VALUE *argv, VALUE self)
{
	/*
	 * EscapeUtils#escape_html(str, secure = nil): HTML-escape str.  The
	 * module-wide html_secure flag decides whether '/' is escaped; an explicit
	 * false as the second argument switches that off for this call only (any
	 * other value leaves the module flag in force).  If houdini_escape_html0
	 * returns 0 the original str object is handed back untouched (no copy);
	 * otherwise a fresh String is built from the escaped bytes.
	 * Raises TypeError when str is not a String; check_utf8_encoding may raise
	 * for a non-UTF-8 encoding.
	 */
	VALUE str, opt_secure, escaped;
	gh_buf out = GH_BUF_INIT;
	int escape_slash = g_html_secure;

	/* "11": one required argument, one optional; opt_secure is Qnil when absent. */
	rb_scan_args(argc, argv, "11", &str, &opt_secure);
	if (opt_secure == Qfalse)
		escape_slash = 0;

	Check_Type(str, T_STRING);
	check_utf8_encoding(str);

	if (!houdini_escape_html0(&out, (const uint8_t *)RSTRING_PTR(str), RSTRING_LEN(str), escape_slash))
		return str;

	escaped = eu_new_str(out.ptr, out.size);
	gh_buf_free(&out);
	return escaped;
}
#escape_html_as_html_safe(str) ⇒ Object
HTML methods
# File 'ext/escape_utils/escape_utils.c', line 105
static VALUE rb_eu_escape_html_as_html_safe(VALUE self, VALUE str)
{
	/*
	 * EscapeUtils#escape_html_as_html_safe(str): HTML-escape str using the
	 * module-wide html_secure flag and return the result as an instance of
	 * rb_html_safe_string_class with @html_safe set to true.  Unlike
	 * escape_html, the caller never gets str itself back: when nothing was
	 * rewritten a duplicate is made (RBASIC build) or the value is wrapped by
	 * calling html_safe_string_class.new (non-RBASIC build).
	 * Raises TypeError when str is not a String; check_utf8_encoding may raise
	 * for a non-UTF-8 encoding.
	 */
	gh_buf out = GH_BUF_INIT;
	VALUE safe;

	Check_Type(str, T_STRING);
	check_utf8_encoding(str);

	if (!houdini_escape_html0(&out, (const uint8_t *)RSTRING_PTR(str), RSTRING_LEN(str), g_html_secure)) {
#ifdef RBASIC
		safe = rb_str_dup(str);
#else
		safe = str;
#endif
	} else {
		safe = eu_new_str(out.ptr, out.size);
		gh_buf_free(&out);
	}

#ifdef RBASIC
	/*
	 * Rewrites the object's class in place instead of allocating a wrapper.
	 * NOTE(review): this is only sound while rb_html_safe_string_class is
	 * String or a String subclass -- the html_safe_string_class= setter is
	 * what enforces that; confirm nothing else assigns the global.
	 */
	RBASIC(safe)->klass = rb_html_safe_string_class;
#else
	safe = rb_funcall(rb_html_safe_string_class, ID_new, 1, safe);
#endif
	rb_ivar_set(safe, ID_at_html_safe, Qtrue);
	return safe;
}
#escape_javascript(str) ⇒ Object
JavaScript methods
# File 'ext/escape_utils/escape_utils.c', line 178
static VALUE rb_eu_escape_js(VALUE self, VALUE str)
{
	/* EscapeUtils#escape_javascript: hand str to the shared driver with the
	 * JavaScript escaper; self carries nothing the driver needs. */
	(void)self;
	return rb_eu__generic(str, houdini_escape_js);
}
#escape_uri(str) ⇒ Object
URI methods
# File 'ext/escape_utils/escape_utils.c', line 206
static VALUE rb_eu_escape_uri(VALUE self, VALUE str)
{
	/* EscapeUtils#escape_uri: hand str to the shared driver with the URI
	 * escaper; self carries nothing the driver needs. */
	(void)self;
	return rb_eu__generic(str, houdini_escape_uri);
}
#escape_url(str) ⇒ Object
URL methods
# File 'ext/escape_utils/escape_utils.c', line 192
static VALUE rb_eu_escape_url(VALUE self, VALUE str)
{
	/* EscapeUtils#escape_url: hand str to the shared driver with the URL
	 * escaper; self carries nothing the driver needs. */
	(void)self;
	return rb_eu__generic(str, houdini_escape_url);
}
#escape_xml(str) ⇒ Object
XML methods
# File 'ext/escape_utils/escape_utils.c', line 169
static VALUE rb_eu_escape_xml(VALUE self, VALUE str)
{
	/* EscapeUtils#escape_xml: hand str to the shared driver with the XML
	 * escaper; self carries nothing the driver needs. */
	(void)self;
	return rb_eu__generic(str, houdini_escape_xml);
}
#unescape_html(str) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 160
static VALUE rb_eu_unescape_html(VALUE self, VALUE str)
{
	/* EscapeUtils#unescape_html: hand str to the shared driver with the HTML
	 * unescaper; self carries nothing the driver needs. */
	(void)self;
	return rb_eu__generic(str, houdini_unescape_html);
}
#unescape_javascript(str) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 183
static VALUE rb_eu_unescape_js(VALUE self, VALUE str)
{
	/* EscapeUtils#unescape_javascript: hand str to the shared driver with the
	 * JavaScript unescaper; self carries nothing the driver needs. */
	(void)self;
	return rb_eu__generic(str, houdini_unescape_js);
}
#unescape_uri(str) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 211
static VALUE rb_eu_unescape_uri(VALUE self, VALUE str)
{
	/* EscapeUtils#unescape_uri: hand str to the shared driver with the URI
	 * unescaper; self carries nothing the driver needs. */
	(void)self;
	return rb_eu__generic(str, houdini_unescape_uri);
}
#unescape_url(str) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 197
static VALUE rb_eu_unescape_url(VALUE self, VALUE str)
{
	/* EscapeUtils#unescape_url: hand str to the shared driver with the URL
	 * unescaper; self carries nothing the driver needs. */
	(void)self;
	return rb_eu__generic(str, houdini_unescape_url);
}